From owner-freebsd-ipfw@FreeBSD.ORG Sun May 18 07:26:48 2008
Date: Sun, 18 May 2008 17:26:36 +1000 (EST)
From: Ian Smith
To: Vivek Khera
Cc: freebsd-ipfw@freebsd.org, FreeBSD Stable
Subject: Re: how much memory does increasing max rules for IPFW take up?

On Fri, 16 May 2008, Vivek Khera wrote:

> How are the buckets used? Are they hashed per rule number or some
> other mechanism? Nearly all of my states are from the same rule (eg,
> on a mail server for the SMTP port rule).

/sys/netinet/ip_fw.h
/sys/netinet/ip_fw2.c

Hashed per flow, (srcip^destip^srcport^dstport) mod curr_dyn_buckets, so
packets for both directions of a given flow hash to the same bucket. In
the case you mention, you could likely expect reasonable distribution by
src_ip/src_port.

The rule number doesn't contribute to the hash, but is contained in the
dynamic rule entry, ie a matched flow resolves to its rule at the first
check_state or keep_state rule encountered. Try searching for '_STATE'.

Each bucket just contains a pointer, so on i386 I'd expect 1KB per 256
buckets, see realloc_dynamic_table. The 'pointees', ipfw_dyn_rule, are
around 70? bytes each with 32-bit pointers, so 4K current dynamic rules
should use around 280KB? Somebody yell if I'm badly miscalculating ..

> How should I scale the buckets with the max rules? The default seems
> to be 4096 rules and 256 buckets. Should I maintain that ratio?

Sounds reasonable. Extra buckets look cheap, if I'm reading it right, and
memory otherwise appears to be only allocated on use, per new flow, but
I'm ignorant of any other memory allocation overheads.

caveats: 5.5 sources; C is read-only here; not subscribed to -ipfw

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 18 19:09:12 2008
Date: Sun, 18 May 2008 21:51:26 +0300
From: Oleksandr Samoylyk
To: freebsd-ipfw@freebsd.org
Subject: ipfw and smtp port rewriting

Hello freebsd-ipfw,

I'd like to make smtp port rewriting for any destination by means of ipfw.

With iptables I just used this rule in order to achieve this functionality:

    iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 2525 -j DNAT --to-destination :25

Reading man ipfw and playing a bit with rules I composed this rule,
which doesn't however work:

    ipfw add fwd any,2525 tcp from any to any 25 via ${tun}

How to achieve the same functionality as in iptables for smtp port
rewriting for any destination?

Thanks!

--
Oleksandr Samoylyk
OVS-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 18 23:05:51 2008
Date: Sun, 18 May 2008 18:53:51 -0400
From: Julian Elischer
To: Oleksandr Samoylyk
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and smtp port rewriting

Oleksandr Samoylyk wrote:
> Hello freebsd-ipfw,
>
> I'd like to make smtp port rewriting for any destination by means of ipfw.
>
> With iptables I just used this rule in order to achieve this functionality:
>
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 2525 -j DNAT
> --to-destination :25
>
> Reading man ipfw and playing a bit with rules I composed this rule,
> which doesn't however work:
>
> ipfw add fwd any,2525 tcp from any to any 25 via ${tun}
>
> How to achieve the same functionality as in iptables for smtp port
> rewriting for any destination?
>
> Thanks!
>

in current (and I think 7.0) you can use the 'nat' keyword and may be
able to achieve something with that.. just an idea.

fwd doesn't change the packet, just what you DO with the packet, so
'fwd'ing to a different port is only effective if you are accepting the
packet yourself, and not if you are sending it to the next hop.
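
The per-flow bucket hashing and the memory estimate from Ian Smith's message earlier in this archive, worked through as an added example that is not code from the thread or from the FreeBSD sources. The struct, the function names, the client addresses and the PRNG are constructed for illustration; the 4-byte pointer and 70-byte rule sizes are the rough figures given in that message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BUCKETS 65536u

/* Simplified flow identifier; field names are assumptions for this example. */
struct flow_id {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
};

/* Result of hashing a set of flows into the bucket table. */
struct dist {
    uint32_t flows;    /* flows inserted */
    uint32_t used;     /* buckets holding at least one flow */
    uint32_t longest;  /* longest chain hanging off a single bucket */
};

/* Hash as described in the message: XOR of the four fields, mod bucket count. */
uint32_t flow_bucket(const struct flow_id *f, uint32_t nbuckets)
{
    return (f->src_ip ^ f->dst_ip ^ f->src_port ^ f->dst_port) % nbuckets;
}

/* The same flow seen in the reply direction: source and destination swapped. */
struct flow_id flow_reverse(struct flow_id f)
{
    struct flow_id r = { f.dst_ip, f.src_ip, f.dst_port, f.src_port };
    return r;
}

/* Small deterministic PRNG (xorshift32) so the run is repeatable offline. */
static uint32_t next_rand(uint32_t *s)
{
    *s ^= *s << 13;
    *s ^= *s >> 17;
    *s ^= *s << 5;
    return *s;
}

/*
 * The mail-server case from the question: every flow targets one address on
 * port 25, only the client address and ephemeral port vary. Client values
 * are constructed sample data, not captured traffic.
 */
struct dist smtp_distribution(uint32_t nflows, uint32_t nbuckets)
{
    static uint32_t count[MAX_BUCKETS];
    struct dist d = { 0, 0, 0 };
    uint32_t seed = 2463534242u;
    uint32_t i;

    if (nbuckets == 0 || nbuckets > MAX_BUCKETS)
        return d;
    memset(count, 0, sizeof(count));

    for (i = 0; i < nflows; i++) {
        struct flow_id f;
        f.src_ip = next_rand(&seed);
        f.src_port = (uint16_t)(1024u + next_rand(&seed) % 64512u);
        f.dst_ip = 0xC0000219u;   /* 192.0.2.25, documentation range */
        f.dst_port = 25;
        count[flow_bucket(&f, nbuckets)]++;
        d.flows++;
    }
    for (i = 0; i < nbuckets; i++) {
        if (count[i] > 0)
            d.used++;
        if (count[i] > d.longest)
            d.longest = count[i];
    }
    return d;
}

/* Bucket table: one pointer per bucket. */
unsigned long table_bytes(uint32_t nbuckets, unsigned ptr_size)
{
    return (unsigned long)nbuckets * ptr_size;
}

/* Dynamic rule entries, allocated per live flow. */
unsigned long dyn_bytes(uint32_t nrules, unsigned rule_size)
{
    return (unsigned long)nrules * rule_size;
}

int main(void)
{
    struct flow_id f = { 0xCB007107u, 0xC0000219u, 40000, 25 };
    struct flow_id r = flow_reverse(f);
    struct dist d = smtp_distribution(4096, 256);

    printf("forward bucket %u, reverse bucket %u\n",
        (unsigned)flow_bucket(&f, 256), (unsigned)flow_bucket(&r, 256));
    printf("%u flows: %u of 256 buckets used, longest chain %u\n",
        (unsigned)d.flows, (unsigned)d.used, (unsigned)d.longest);
    printf("bucket table: %lu bytes, dynamic rules: %lu bytes\n",
        table_bytes(256, 4), dyn_bytes(4096, 70));
    return 0;
}
```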
From owner-freebsd-ipfw@FreeBSD.ORG Mon May 19 11:06:54 2008
Date: Mon, 19 May 2008 11:06:53 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Current FreeBSD problem reports
Critical problems
Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6

16 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o bin/78785    ipfw       [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] [request] Too few dummynet queue slots
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip

30 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 19 14:18:32 2008
Date: Mon, 19 May 2008 17:18:13 +0300
From: Oleksandr Samoylyk
To: Paolo Pisati
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and smtp port rewriting

Paolo Pisati wrote:
> On Sun, May 18, 2008 at 09:51:26PM +0300, Oleksandr Samoylyk wrote:
>> Hello freebsd-ipfw,
>>
>> I'd like to make smtp port rewriting for any destination by means of ipfw.
>>
>> With iptables I just used this rule in order to achieve this functionality:
>>
>> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 2525 -j DNAT
>> --to-destination :25
>
> ipfw nat 123 config redirect_port tcp YOURIP:2525 25
> ipfw add nat 123 tcp from any to any
>
> or something along the line.
>

Will it work for any destination?

--
Oleksandr Samoylyk
OVS-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 19 14:38:34 2008
Date: Mon, 19 May 2008 16:38:39 +0200
From: Paolo Pisati
To: Oleksandr Samoylyk
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: ipfw and smtp port rewriting

On Mon, May 19, 2008 at 05:18:13PM +0300, Oleksandr Samoylyk wrote:
>
> Will it work for any destination?

    redirect_port tcp $fooip:666 999

incoming tcp packets destined for port 999 will be redirected to $fooip
port 666.

See redirect modes in natd(8) for more info.

--
bye, P.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 19 14:45:55 2008
Date: Mon, 19 May 2008 16:16:03 +0200
From: Paolo Pisati
To: Oleksandr Samoylyk
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and smtp port rewriting

On Sun, May 18, 2008 at 09:51:26PM +0300, Oleksandr Samoylyk wrote:
> Hello freebsd-ipfw,
>
> I'd like to make smtp port rewriting for any destination by means of ipfw.
>
> With iptables I just used this rule in order to achieve this functionality:
>
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 2525 -j DNAT
> --to-destination :25

    ipfw nat 123 config redirect_port tcp YOURIP:2525 25
    ipfw add nat 123 tcp from any to any

or something along the line.

--
bye, P.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 19 16:13:21 2008
Date: Mon, 19 May 2008 12:13:20 -0400
From: Vivek Khera
To: Ian Smith
Cc: freebsd-ipfw@freebsd.org, FreeBSD Stable
Subject: Re: how much memory does increasing max rules for IPFW take up?

On May 18, 2008, at 3:26 AM, Ian Smith wrote:

> Hashed per flow, (srcip^destip^srcport^dstport) mod curr_dyn_buckets, so
> packets for both directions of a given flow hash to the same bucket. In
> the case you mention, you could likely expect reasonable distribution by
> src_ip/src_port.

Thanks for the detailed info. This really helps.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 19 20:20:04 2008
Date: Mon, 19 May 2008 20:20:04 GMT
From: "Joost Bekkers"
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/117234: [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't seem to support IPV6

The following reply was made to PR kern/117234; it has been noted by GNATS.

From: "Joost Bekkers"
To: bug-followup@FreeBSD.org
Subject: Re: kern/117234: [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't seem to support IPV6
Date: Mon, 19 May 2008 22:15:20 +0200 (CEST)

Found the problem. Two hton() statements went missing with the original
patch from mlaier@.

I've attached a corrected version of the original diff and one against 7.0R

Attachments: ipfw_v6send.diff, ipfw_v6send_70R.diff
dXMgdGhlIHRjcCBoZWFkZXIgbGVuZ3RoLgotCQkJCSAqLwotCQkJCWFjayArPSBtLT5tX3BrdGhk ci5sZW4gLSBobGVuCi0JCQkJCS0gKHRpLnRoLnRoX29mZiA8PCAyKTsKLQkJCX0gZWxzZSBpZiAo aXA2LT5pcDZfcGxlbikgewotCQkJCWFjayArPSBudG9ocyhpcDYtPmlwNl9wbGVuKSArIHNpemVv ZigqaXA2KSAtCi0JCQkJICAgIGhsZW4gLSAodGkudGgudGhfb2ZmIDw8IDIpOwotCQkJfSBlbHNl IHsKLQkJCQltX2ZyZWVtKG0pOwotCQkJCXJldHVybjsKLQkJCX0KLQkJCWlmICh0Y3AtPnRoX2Zs YWdzICYgVEhfU1lOKQotCQkJCWFjaysrOwotCQkJc2VxID0gMDsKLQkJCWZsYWdzID0gVEhfUlNU fFRIX0FDSzsKKwkJaWYgKCh0Y3AtPnRoX2ZsYWdzICYgVEhfUlNUKSA9PSAwKSB7CisJCQlzdHJ1 Y3QgbWJ1ZiAqbTA7CisJCQltMCA9IHNlbmRfcGt0KGFyZ3MtPm0sICYoYXJncy0+Zl9pZCksCisJ CQkJbnRvaGwodGNwLT50aF9zZXEpLCBudG9obCh0Y3AtPnRoX2FjayksCisJCQkJdGNwLT50aF9m bGFncyB8IFRIX1JTVCk7CisJCQlpZiAobTAgIT0gTlVMTCkKKwkJCQlpcDZfb3V0cHV0KG0wLCBO VUxMLCBOVUxMLCAwLCBOVUxMLCBOVUxMLCBOVUxMKTsKIAkJfQotCQliY29weSgmdGksIGlwNiwg c2l6ZW9mKHRpKSk7Ci0JCS8qCi0JCSAqIG0gaXMgb25seSB1c2VkIHRvIHJlY3ljbGUgdGhlIG1i dWYKLQkJICogVGhlIGRhdGEgaW4gaXQgaXMgbmV2ZXIgcmVhZCBzbyB3ZSBkb24ndCBuZWVkCi0J CSAqIHRvIGNvcnJlY3QgdGhlIG9mZnNldHMgb3IgYW55dGhpbmcKLQkJICovCi0JCXRjcF9yZXNw b25kKE5VTEwsIGlwNiwgdGNwLCBtLCBhY2ssIHNlcSwgZmxhZ3MpOworCQltX2ZyZWVtKG0pOwog CX0gZWxzZSBpZiAoY29kZSAhPSBJQ01QNl9VTlJFQUNIX1JTVCkgeyAvKiBTZW5kIGFuIElDTVB2 NiB1bnJlYWNoLiAqLwogI2lmIDAKIAkJLyoKQEAgLTE2MTIsMTMgKzE1NzQsMTYgQEAKICAgICB1 X2ludDMyX3QgYWNrLCBpbnQgZmxhZ3MpCiB7CiAJc3RydWN0IG1idWYgKm07Ci0Jc3RydWN0IGlw ICppcDsKLQlzdHJ1Y3QgdGNwaGRyICp0Y3A7CisJaW50IGxlbiwgZGlyOworCXN0cnVjdCBpcCAq aCA9IE5VTEw7CQkvKiBzdHVwaWQgY29tcGlsZXIgKi8KKyNpZmRlZiBJTkVUNgorCXN0cnVjdCBp cDZfaGRyICpoNiA9IE5VTEw7CisjZW5kaWYKKwlzdHJ1Y3QgdGNwaGRyICp0aCA9IE5VTEw7CiAK IAlNR0VUSERSKG0sIE1fRE9OVFdBSVQsIE1UX0RBVEEpOwotCWlmIChtID09IDApCisJaWYgKG0g PT0gTlVMTCkKIAkJcmV0dXJuIChOVUxMKTsKLQltLT5tX3BrdGhkci5yY3ZpZiA9IChzdHJ1Y3Qg aWZuZXQgKikwOwogCiAjaWZkZWYgTUFDCiAJaWYgKHJlcGx5dG8gIT0gTlVMTCkKQEAgLTE2Mjks NjcgKzE1OTQsMTE4IEBACiAJKHZvaWQpcmVwbHl0bzsJCS8qIGRvbid0IHdhcm4gYWJvdXQgdW51 
c2VkIGFyZyAqLwogI2VuZGlmCiAKLQltLT5tX3BrdGhkci5sZW4gPSBtLT5tX2xlbiA9IHNpemVv ZihzdHJ1Y3QgaXApICsgc2l6ZW9mKHN0cnVjdCB0Y3BoZHIpOworCXN3aXRjaCAoaWQtPmFkZHJf dHlwZSkgeworCWNhc2UgNDoKKwkJbGVuID0gc2l6ZW9mKHN0cnVjdCBpcCkgKyBzaXplb2Yoc3Ry dWN0IHRjcGhkcik7CisJCWJyZWFrOworI2lmZGVmIElORVQ2CisJY2FzZSA2OgorCQlsZW4gPSBz aXplb2Yoc3RydWN0IGlwNl9oZHIpICsgc2l6ZW9mKHN0cnVjdCB0Y3BoZHIpOworCQlicmVhazsK KyNlbmRpZgorCWRlZmF1bHQ6CisJCS8qIFhYWDogbG9nIG1lPyE/ICovCisJCW1fZnJlZW0obSk7 CisJCXJldHVybiAoTlVMTCk7CisJfQorCWRpciA9ICgoZmxhZ3MgJiAoVEhfU1lOIHwgVEhfUlNU KSkgPT0gVEhfU1lOKTsKKwogCW0tPm1fZGF0YSArPSBtYXhfbGlua2hkcjsKKwltLT5tX2ZsYWdz IHw9IE1fU0tJUF9GSVJFV0FMTDsKKwltLT5tX3BrdGhkci5sZW4gPSBtLT5tX2xlbiA9IGxlbjsK KwltLT5tX3BrdGhkci5yY3ZpZiA9IE5VTEw7CisJYnplcm8obS0+bV9kYXRhLCBsZW4pOworCisJ c3dpdGNoIChpZC0+YWRkcl90eXBlKSB7CisJY2FzZSA0OgorCQloID0gbXRvZChtLCBzdHJ1Y3Qg aXAgKik7CisKKwkJLyogcHJlcGFyZSBmb3IgY2hlY2tzdW0gKi8KKwkJaC0+aXBfcCA9IElQUFJP VE9fVENQOworCQloLT5pcF9sZW4gPSBodG9ucyhzaXplb2Yoc3RydWN0IHRjcGhkcikpOworCQlp ZiAoZGlyKSB7CisJCQloLT5pcF9zcmMuc19hZGRyID0gaHRvbmwoaWQtPnNyY19pcCk7CisJCQlo LT5pcF9kc3Quc19hZGRyID0gaHRvbmwoaWQtPmRzdF9pcCk7CisJCX0gZWxzZSB7CisJCQloLT5p cF9zcmMuc19hZGRyID0gaHRvbmwoaWQtPmRzdF9pcCk7CisJCQloLT5pcF9kc3Quc19hZGRyID0g aHRvbmwoaWQtPnNyY19pcCk7CisJCX0KIAotCWlwID0gbXRvZChtLCBzdHJ1Y3QgaXAgKik7Ci0J Ynplcm8oaXAsIG0tPm1fbGVuKTsKLQl0Y3AgPSAoc3RydWN0IHRjcGhkciAqKShpcCArIDEpOyAv KiBubyBJUCBvcHRpb25zICovCi0JaXAtPmlwX3AgPSBJUFBST1RPX1RDUDsKLQl0Y3AtPnRoX29m ZiA9IDU7Ci0JLyoKLQkgKiBBc3N1bWUgd2UgYXJlIHNlbmRpbmcgYSBSU1QgKG9yIGEga2VlcGFs aXZlIGluIHRoZSByZXZlcnNlCi0JICogZGlyZWN0aW9uKSwgc3dhcCBzcmMgYW5kIGRlc3RpbmF0 aW9uIGFkZHJlc3NlcyBhbmQgcG9ydHMuCi0JICovCi0JaXAtPmlwX3NyYy5zX2FkZHIgPSBodG9u bChpZC0+ZHN0X2lwKTsKLQlpcC0+aXBfZHN0LnNfYWRkciA9IGh0b25sKGlkLT5zcmNfaXApOwot CXRjcC0+dGhfc3BvcnQgPSBodG9ucyhpZC0+ZHN0X3BvcnQpOwotCXRjcC0+dGhfZHBvcnQgPSBo dG9ucyhpZC0+c3JjX3BvcnQpOwotCWlmIChmbGFncyAmIFRIX1JTVCkgewkvKiB3ZSBhcmUgc2Vu 
ZGluZyBhIFJTVCAqLworCQl0aCA9IChzdHJ1Y3QgdGNwaGRyICopKGggKyAxKTsKKwkJYnJlYWs7 CisjaWZkZWYgSU5FVDYKKwljYXNlIDY6CisJCWg2ID0gbXRvZChtLCBzdHJ1Y3QgaXA2X2hkciAq KTsKKworCQkvKiBwcmVwYXJlIGZvciBjaGVja3N1bSAqLworCQloNi0+aXA2X254dCA9IElQUFJP VE9fVENQOworCQloNi0+aXA2X3BsZW4gPSBodG9ucyhzaXplb2Yoc3RydWN0IHRjcGhkcikpOwor CQlpZiAoZGlyKSB7CisJCQloNi0+aXA2X3NyYyA9IGlkLT5zcmNfaXA2OworCQkJaDYtPmlwNl9k c3QgPSBpZC0+ZHN0X2lwNjsKKwkJfSBlbHNlIHsKKwkJCWg2LT5pcDZfc3JjID0gaWQtPmRzdF9p cDY7CisJCQloNi0+aXA2X2RzdCA9IGlkLT5zcmNfaXA2OworCQl9CisKKwkJdGggPSAoc3RydWN0 IHRjcGhkciAqKShoNiArIDEpOworCQlicmVhazsKKyNlbmRpZgorCX0KKworCWlmIChkaXIpIHsK KwkJdGgtPnRoX3Nwb3J0ID0gaHRvbnMoaWQtPnNyY19wb3J0KTsKKwkJdGgtPnRoX2Rwb3J0ID0g aHRvbnMoaWQtPmRzdF9wb3J0KTsKKwl9IGVsc2UgeworCQl0aC0+dGhfc3BvcnQgPSBodG9ucyhp ZC0+ZHN0X3BvcnQpOworCQl0aC0+dGhfZHBvcnQgPSBodG9ucyhpZC0+c3JjX3BvcnQpOworCX0K Kwl0aC0+dGhfb2ZmID0gc2l6ZW9mKHN0cnVjdCB0Y3BoZHIpID4+IDI7CisKKwlpZiAoZmxhZ3Mg JiBUSF9SU1QpIHsKIAkJaWYgKGZsYWdzICYgVEhfQUNLKSB7Ci0JCQl0Y3AtPnRoX3NlcSA9IGh0 b25sKGFjayk7Ci0JCQl0Y3AtPnRoX2FjayA9IGh0b25sKDApOwotCQkJdGNwLT50aF9mbGFncyA9 IFRIX1JTVDsKKwkJCXRoLT50aF9zZXEgPSBodG9ubChhY2spOworCQkJdGgtPnRoX2ZsYWdzID0g VEhfUlNUOwogCQl9IGVsc2UgewogCQkJaWYgKGZsYWdzICYgVEhfU1lOKQogCQkJCXNlcSsrOwot CQkJdGNwLT50aF9zZXEgPSBodG9ubCgwKTsKLQkJCXRjcC0+dGhfYWNrID0gaHRvbmwoc2VxKTsK LQkJCXRjcC0+dGhfZmxhZ3MgPSBUSF9SU1QgfCBUSF9BQ0s7CisJCQl0aC0+dGhfYWNrID0gaHRv bmwoc2VxKTsKKwkJCXRoLT50aF9mbGFncyA9IFRIX1JTVCB8IFRIX0FDSzsKIAkJfQogCX0gZWxz ZSB7CiAJCS8qCi0JCSAqIFdlIGFyZSBzZW5kaW5nIGEga2VlcGFsaXZlLiBmbGFncyAmIFRIX1NZ TiBkZXRlcm1pbmVzCi0JCSAqIHRoZSBkaXJlY3Rpb24sIGZvcndhcmQgaWYgc2V0LCByZXZlcnNl IGlmIGNsZWFyLgotCQkgKiBOT1RFOiBzZXEgYW5kIGFjayBhcmUgYWx3YXlzIGFzc3VtZWQgdG8g YmUgY29ycmVjdAotCQkgKiBhcyBzZXQgYnkgdGhlIGNhbGxlci4gVGhpcyBtYXkgYmUgY29uZnVz aW5nLi4uCisJCSAqIEtlZXBhbGl2ZSAtIHVzZSBjYWxsZXIgcHJvdmlkZWQgc2VxdWVuY2UgbnVt YmVycwogCQkgKi8KLQkJaWYgKGZsYWdzICYgVEhfU1lOKSB7Ci0JCQkvKgotCQkJICogd2UgaGF2 
ZSB0byByZXdyaXRlIHRoZSBjb3JyZWN0IGFkZHJlc3NlcyEKLQkJCSAqLwotCQkJaXAtPmlwX2Rz dC5zX2FkZHIgPSBodG9ubChpZC0+ZHN0X2lwKTsKLQkJCWlwLT5pcF9zcmMuc19hZGRyID0gaHRv bmwoaWQtPnNyY19pcCk7Ci0JCQl0Y3AtPnRoX2Rwb3J0ID0gaHRvbnMoaWQtPmRzdF9wb3J0KTsK LQkJCXRjcC0+dGhfc3BvcnQgPSBodG9ucyhpZC0+c3JjX3BvcnQpOwotCQl9Ci0JCXRjcC0+dGhf c2VxID0gaHRvbmwoc2VxKTsKLQkJdGNwLT50aF9hY2sgPSBodG9ubChhY2spOwotCQl0Y3AtPnRo X2ZsYWdzID0gVEhfQUNLOworCQl0aC0+dGhfc2VxID0gaHRvbmwoc2VxKTsKKwkJdGgtPnRoX2Fj ayA9IGh0b25sKGFjayk7CisJCXRoLT50aF9mbGFncyA9IFRIX0FDSzsKKwl9CisKKwlzd2l0Y2gg KGlkLT5hZGRyX3R5cGUpIHsKKwljYXNlIDQ6CisJCXRoLT50aF9zdW0gPSBpbl9ja3N1bShtLCBs ZW4pOworCisJCS8qIGZpbmlzaCB0aGUgaXAgaGVhZGVyICovCisJCWgtPmlwX3YgPSA0OworCQlo LT5pcF9obCA9IHNpemVvZigqaCkgPj4gMjsKKwkJaC0+aXBfdG9zID0gSVBUT1NfTE9XREVMQVk7 CisJCWgtPmlwX29mZiA9IDA7CisJCWgtPmlwX2xlbiA9IGxlbjsKKwkJaC0+aXBfdHRsID0gaXBf ZGVmdHRsOworCQloLT5pcF9zdW0gPSAwOworCQlicmVhazsKKyNpZmRlZiBJTkVUNgorCWNhc2Ug NjoKKwkJdGgtPnRoX3N1bSA9IGluNl9ja3N1bShtLCBJUFBST1RPX1RDUCwgc2l6ZW9mKCpoNiks CisJCSAgICBzaXplb2Yoc3RydWN0IHRjcGhkcikpOworCisJCS8qIGZpbmlzaCB0aGUgaXA2IGhl YWRlciAqLworCQloNi0+aXA2X3ZmYyB8PSBJUFY2X1ZFUlNJT047CisJCWg2LT5pcDZfaGxpbSA9 IElQVjZfREVGSExJTTsKKwkJYnJlYWs7CisjZW5kaWYKIAl9Ci0JLyoKLQkgKiBzZXQgaXBfbGVu IHRvIHRoZSBwYXlsb2FkIHNpemUgc28gd2UgY2FuIGNvbXB1dGUKLQkgKiB0aGUgdGNwIGNoZWNr c3VtIG9uIHRoZSBwc2V1ZG9oZWFkZXIKLQkgKiBYWFggY2hlY2sgdGhpcywgY291bGQgc2F2ZSBh IGNvdXBsZSBvZiB3b3JkcyA/Ci0JICovCi0JaXAtPmlwX2xlbiA9IGh0b25zKHNpemVvZihzdHJ1 Y3QgdGNwaGRyKSk7Ci0JdGNwLT50aF9zdW0gPSBpbl9ja3N1bShtLCBtLT5tX3BrdGhkci5sZW4p OwotCS8qCi0JICogbm93IGZpbGwgZmllbGRzIGxlZnQgb3V0IGVhcmxpZXIKLQkgKi8KLQlpcC0+ aXBfdHRsID0gaXBfZGVmdHRsOwotCWlwLT5pcF9sZW4gPSBtLT5tX3BrdGhkci5sZW47Ci0JbS0+ bV9mbGFncyB8PSBNX1NLSVBfRklSRVdBTEw7CisKIAlyZXR1cm4gKG0pOwogfQogCkBAIC00ODYz LDYgKzQ4NzksOSBAQAogaXBmd190aWNrKHZvaWQgKiBfX3VudXNlZCB1bnVzZWQpCiB7CiAJc3Ry dWN0IG1idWYgKm0wLCAqbSwgKm1uZXh0LCAqKm10YWlscDsKKyNpZmRlZiBJTkVUNgorCXN0cnVj 
dCBtYnVmICptNiwgKiptNl90YWlscDsKKyNlbmRpZgogCWludCBpOwogCWlwZndfZHluX3J1bGUg KnE7CiAKQEAgLTQ4NzcsNiArNDg5NiwxMCBAQAogCSAqLwogCW0wID0gTlVMTDsKIAltdGFpbHAg PSAmbTA7CisjaWZkZWYgSU5FVDYKKwltNiA9IE5VTEw7CisJbTZfdGFpbHAgPSAmbTY7CisjZW5k aWYKIAlJUEZXX0RZTl9MT0NLKCk7CiAJZm9yIChpID0gMCA7IGkgPCBjdXJyX2R5bl9idWNrZXRz IDsgaSsrKSB7CiAJCWZvciAocSA9IGlwZndfZHluX3ZbaV0gOyBxIDsgcSA9IHEtPm5leHQgKSB7 CkBAIC00ODkyLDE0ICs0OTE1LDM3IEBACiAJCQlpZiAoVElNRV9MRVEocS0+ZXhwaXJlLCB0aW1l X3VwdGltZSkpCiAJCQkJY29udGludWU7CS8qIHRvbyBsYXRlLCBydWxlIGV4cGlyZWQgKi8KIAot CQkJKm10YWlscCA9IHNlbmRfcGt0KE5VTEwsICYocS0+aWQpLCBxLT5hY2tfcmV2IC0gMSwKKwkJ CW0gPSBzZW5kX3BrdChOVUxMLCAmKHEtPmlkKSwgcS0+YWNrX3JldiAtIDEsCiAJCQkJcS0+YWNr X2Z3ZCwgVEhfU1lOKTsKLQkJCWlmICgqbXRhaWxwICE9IE5VTEwpCi0JCQkJbXRhaWxwID0gJigq bXRhaWxwKS0+bV9uZXh0cGt0OwotCQkJKm10YWlscCA9IHNlbmRfcGt0KE5VTEwsICYocS0+aWQp LCBxLT5hY2tfZndkIC0gMSwKKwkJCW1uZXh0ID0gc2VuZF9wa3QoTlVMTCwgJihxLT5pZCksIHEt PmFja19md2QgLSAxLAogCQkJCXEtPmFja19yZXYsIDApOwotCQkJaWYgKCptdGFpbHAgIT0gTlVM TCkKLQkJCQltdGFpbHAgPSAmKCptdGFpbHApLT5tX25leHRwa3Q7CisKKwkJCXN3aXRjaCAocS0+ aWQuYWRkcl90eXBlKSB7CisJCQljYXNlIDQ6CisJCQkJaWYgKG0gIT0gTlVMTCkgeworCQkJCQkq bXRhaWxwID0gbTsKKwkJCQkJbXRhaWxwID0gJigqbXRhaWxwKS0+bV9uZXh0cGt0OworCQkJCX0K KwkJCQlpZiAobW5leHQgIT0gTlVMTCkgeworCQkJCQkqbXRhaWxwID0gbW5leHQ7CisJCQkJCW10 YWlscCA9ICYoKm10YWlscCktPm1fbmV4dHBrdDsKKwkJCQl9CisJCQkJYnJlYWs7CisjaWZkZWYg SU5FVDYKKwkJCWNhc2UgNjoKKwkJCQlpZiAobSAhPSBOVUxMKSB7CisJCQkJCSptNl90YWlscCA9 IG07CisJCQkJCW02X3RhaWxwID0gJigqbTZfdGFpbHApLT5tX25leHRwa3Q7CisJCQkJfQorCQkJ CWlmIChtbmV4dCAhPSBOVUxMKSB7CisJCQkJCSptNl90YWlscCA9IG1uZXh0OworCQkJCQltNl90 YWlscCA9ICYoKm02X3RhaWxwKS0+bV9uZXh0cGt0OworCQkJCX0KKwkJCQlicmVhazsKKyNlbmRp ZgorCQkJfQorCisJCQltID0gbW5leHQgPSBOVUxMOwogCQl9CiAJfQogCUlQRldfRFlOX1VOTE9D SygpOwpAQCAtNDkwOCw2ICs0OTU0LDEzIEBACiAJCW0tPm1fbmV4dHBrdCA9IE5VTEw7CiAJCWlw X291dHB1dChtLCBOVUxMLCBOVUxMLCAwLCBOVUxMLCBOVUxMKTsKIAl9CisjaWZkZWYgSU5FVDYK 
Kwlmb3IgKG0gPSBtbmV4dCA9IG02OyBtICE9IE5VTEw7IG0gPSBtbmV4dCkgeworCQltbmV4dCA9 IG0tPm1fbmV4dHBrdDsKKwkJbS0+bV9uZXh0cGt0ID0gTlVMTDsKKwkJaXA2X291dHB1dChtLCBO VUxMLCBOVUxMLCAwLCBOVUxMLCBOVUxMLCBOVUxMKTsKKwl9CisjZW5kaWYKIGRvbmU6CiAJY2Fs bG91dF9yZXNldCgmaXBmd190aW1lb3V0LCBkeW5fa2VlcGFsaXZlX3BlcmlvZCpoeiwgaXBmd190 aWNrLCBOVUxMKTsKIH0K ------=_20080519221520_63844-- From owner-freebsd-ipfw@FreeBSD.ORG Mon May 19 21:22:19 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CA1601065684 for ; Mon, 19 May 2008 21:22:19 +0000 (UTC) (envelope-from marconemlt@gmail.com) Received: from rn-out-0910.google.com (rn-out-0910.google.com [64.233.170.189]) by mx1.freebsd.org (Postfix) with ESMTP id 894068FC1C for ; Mon, 19 May 2008 21:22:19 +0000 (UTC) (envelope-from marconemlt@gmail.com) Received: by rn-out-0910.google.com with SMTP id j40so673327rnf.12 for ; Mon, 19 May 2008 14:22:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; bh=7RRdHI9PhZS3Hs1WQm/COVwfRcAnigIzxntc6DOwW70=; b=bClJY4GYNkDDOgHISvlyxVPrPHIBcrptTIFNZ47a4Q2bwJomhMoZbUJvgnfT88MrDI+/oi2xs09RqttHsupsN1NoQOW+C3RG1kPheGA/6uqKm7+IYfg52IuAx7+fLiJFIEGgJnx2g+xNT0b0RG2Y1wA7DkG8FURhdd1QFeFLK/0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=U6uMo0P9yH3i/LiMCVdBBoxxXvbgJPpWg7Y8ny5i6XmXZydSaFBLW70o8KM4/UOQEBFhN3Pp1m/Q1NTMCoQBycWk7pnJb9E6IEt4VD0qEvDdEUNOwao4R7sbJ/+MwnMCuIurNXOoCJcpTFhURk/xNTpw6ja1kgw5LMt1zsPh1x0= Received: by 10.142.188.4 with SMTP id l4mr3032602wff.92.1211232138072; Mon, 19 May 2008 14:22:18 -0700 (PDT) Received: by 10.142.240.21 with HTTP; Mon, 19 May 2008 14:22:18 -0700 (PDT) Message-ID: Date: Mon, 19 May 2008 18:22:18 -0300 From: "Marcone Theisen" To: freebsd-ipfw@freebsd.org 
Subject: Fwd traffic

Hi,

I'm forwarding all my traffic (port 80) from the internal network to another IP (router), but I do not want to forward the traffic with a 10.40.0.0 destination. How can I do this?

00018 fwd 10.10.18.254 tcp from 10.10.18.0/24 to any dst-port 80
00020 divert 8668 ip from any to any via em0
00021 allow ip from any to any

Thanks,
Marcone

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 24 21:35:58 2008
Date: Sat, 24 May 2008 22:08:52 +0100
From: lysergius2001
To: freebsd-ipfw@freebsd.org
Subject: ipfw rules problem

Hi

I am having a problem with my rule set. For some reason the who accesses from my local host, router and other machine on my local net are being rejected. I have tried opening the port 513 but somehow the rules set does not see this. Any ideas?

#-----------------------------------------------------------------------#
#                                                                       #
# IPFW Firewall Rules (ipfw.rules_180508)                               #
#                                                                       #
#-----------------------------------------------------------------------#
#!/bin/sh
#-----------------------------------------------------------------------#
# Flush out the list before we begin.                                   #
#-----------------------------------------------------------------------#
ipfw -q -f flush
#-----------------------------------------------------------------------#
# Reset logging                                                         #
#-----------------------------------------------------------------------#
ipfw -q resetlog
#-----------------------------------------------------------------------#
# Set rules command prefix                                              #
#-----------------------------------------------------------------------#
cmd="ipfw -q add"
#-----------------------------------------------------------------------#
# Interface names                                                       #
#-----------------------------------------------------------------------#
pif="ath0" # public interface name of NIC facing the public Internet
iif="nve0" # public interface name of NIC facing the private LAN
lif="lo0" # Loopback
#-----------------------------------------------------------------------#
# DYNAMIC RULES                                                         #
#-----------------------------------------------------------------------#
$cmd 0010 check-state
#-----------------------------------------------------------------------#
# LOOPBACK INTERFACE 127.0.0.1 (lo0) "$lif"                             #
#                                                                       #
# Purpose : allow Loopback and Deny Loopback Spoofing                   #
#-----------------------------------------------------------------------#
#---------------#
#    INBOUND    #
#---------------#
$cmd 0020 allow all from 127.0.0.1 to me in via "$lif"
$cmd 0030 allow all from me to 127.0.0.1 out via "$lif"
$cmd 0040 allow tcp from 127.0.0.1 to 127.0.0.1 111 keep-state # Allow RPC from Loopback
$cmd 0050 allow tcp from 127.0.0.1 to 127.0.0.1 113 keep-state # Allow Identd from loopback
#---------------#
#   OUTBOUND    #
#---------------#
$cmd 0060 allow all from 127.0.0.1 to me in via "$lif"
$cmd 0070 allow all from me to 127.0.0.1 out via "$lif"
#-----------------------------------------------------------------------#
# INTERNAL NETWORK 10.0.0.4 (nve0) "$iif"                               #
#                                                                       #
# Object : No restrictions on LAN Interface                             #
#-----------------------------------------------------------------------#
#---------------#
#    INBOUND    #
#---------------#
$cmd 0100 allow all from 10.0.0.0/8 to me in via $iif
$cmd 0200 deny all from 192.168.2.1 to any in via $iif
#---------------#
#   OUTBOUND    #
#---------------#
$cmd 0300 allow all from me to 10.0.0.0/8 out via $iif
#-----------------------------------------------------------------------#
# EXTERNAL NETWORK 192.168.2.1 (ath0) "$pif"                            #
#                                                                       #
# Object :                                                              #
#-----------------------------------------------------------------------#
#---------------#
#    INBOUND    #
#---------------#
$cmd 01000 allow tcp from any to me established
$cmd 01010 allow tcp from any to me 21 in via $pif # FTP
$cmd 01020 allow tcp from any to me 22 in via $pif setup keep-state # SSH
$cmd 01030 allow udp from any to me 25 in via $pif setup keep-state # SMTP
$cmd 01040 allow tcp from any to me 53 in via $ pif setup keep-state # DNS
$cmd 01050 allow udp from any to me 53 in via $pif keep-state
$cmd 01060 allow tcp from any to me 80 in via $pif setup keep-state # HTTP/WWW
$cmd 01070 allow tcp from any to me 110 in via $pif setup keep-state # POP3
$cmd 01080 allow udp from any to me 161 in via $pif keep-state # SNMP
$cmd 01090 allow udp from any to me 27015 in via $pif keep-state # Unassigned
# Allow all IPv6 packets through - they are handled by the separate
# ipv6 firewall rules in rc.firewall6.
$cmd 01100 deny ipv6 from any to any
$cmd 01110 deny all from 0.0.0.0/8 to me in via $pif #loopback
$cmd 01120 deny all from any to 0.0.0.0/8 in via $pif
$cmd 01130 deny all from any to 127.0.0.1/8 in via $pif
$cmd 01140 deny all from 127.0.0.0/8 to me in via $pif #loopback
$cmd 01150 deny all from any to 10.0.0.0/8 in via $pif
$cmd 01160 deny all from 10.0.0.4 to any in via $pif
$cmd 01170 deny all from 10.0.0.0/8 to me in via $pif #RFC 1918 private IP
$cmd 01180 deny all from any to 172.16.0.0/12 in via $pif
$cmd 01190 deny all from 172.16.0.0/12 to me in via $pif #RFC 1918 private IP
$cmd 01200 deny all from any to 169.254.0.0/16 in via $pif
$cmd 01210 deny all from 192.168.0.0/16 to me in via $pif #RFC 1918 private IP
$cmd 01220 deny all from any to 224.0.0.0/4 in via $pif
$cmd 01230 deny all from any to 240.0.0.0/4 in via $pif
$cmd 01240 deny all from 169.254.0.0/16 to me in via $pif #DHCP auto-config
$cmd 01250 deny all from 192.0.2.0/24 to me in via $pif #reserved for docs
$cmd 01260 deny all from any to 192.0.2.0/24 in via $pif
$cmd 01270 deny all from 204.152.64.0/23 to me in via $pif #Sun cluster interconnect
$cmd 01280 deny all from 224.0.0.0/3 to me in via $pif #Class D & E multicast
$cmd 01290 deny icmp from any to me in via $pif # Deny public pings
$cmd 01300 deny tcp from any to me 113 in via $pif # Deny ident
$cmd 01310 deny tcp from any to me 137 in via $pif # Netbios service=name
$cmd 01320 deny tcp from any to me 138 in via $pif # Netbios service=datagram
$cmd 01330 deny tcp from any to me 139 in via $pif # Netbios service=session
$cmd 01340 deny tcp from any to me 81 in via $pif # Unassigned
$cmd 01350 deny all from any to me frag in via $pif # Deny any late arriving packets
$cmd 01360 deny tcp from any to me established in via $pif
#---------------#
#   OUTBOUND    #
#---------------#
$cmd 01370 deny all from 0.0.0.0/8 to any out via $pif
$cmd 01380 deny log all from 127.0.0.1/8 to any out via $pif
$cmd 01390 deny log all from 10.0.0.0/8 to any out via $pif
$cmd 01400 deny tcp from any to me 25 out via $pif setup keep-state
$cmd 01419 deny tcp from any to me 110 out via $pif setup keep-state
$cmd 01420 allow all from me to any out via $pif keep-state
$cmd 01430 allow icmp from me to any out via $pif
$cmd 01440 allow tcp from 192.168.2.1 53 out via $pif setup keep-state # DNS
$cmd 01450 allow udp from 192.168.2.1 53 out via $pif keep-state # DNS
$cmd 01460 allow udp from any 68 to 192.168.2.1 67 out via $pif keep-state # Bootstrap Protocol Server
$cmd 01470 allow tcp from me to any 21 out via $pif # FTP
$cmd 01480 allow udp from me to any 53 out via $pif keep-state # DNS
$cmd 01490 allow udp from me to any 53 out keep-state
$cmd 01500 allow tcp from me to any 80 out via $pif setup keep-state # Allow out non-secure standard www function
$cmd 01510 allow tcp from any to any 443 out via $pif setup keep-state # Allow out secure www function https over TLS SSL
$cmd 01520 allow tcp from me to any out via $pif setup keep-state uid root # Allow out FBSD (make install & CVSUP) functions
$cmd 01530 allow icmp from me to any out via $pif keep-state # Allow out ping
$cmd 01540 allow tcp from me to any 37 out via $pif setup keep-state # Allow out Time
$cmd 01550 allow tcp from me to any 119 out via $pif setup keep-state # Allow out nntp news (i.e. news groups 119)
$cmd 01560 allow tcp from me to any 22 out via $pif setup keep-state # Allow out secure FTP, Telnet, and SCP
$cmd 01570 allow tcp from me to any 43 out via $pif setup keep-state # Allow out whois
$cmd 01580 deny log udp from any to me in
$cmd 01590 deny log udp from any to me out
$cmd 01600 deny log udp from me to any in
$cmd 01610 deny log udp from me to any out
$cmd 01620 deny log ip from any to me in
$cmd 01630 deny log ip from any to me out
$cmd 01640 deny log ip from me to any in
$cmd 01650 deny log ip from me to any out
#-------------------------------------------------------------------------------#
# Everything else is denied by default                                          #
# deny and log all packets that fell through to see what they are               #
#-------------------------------------------------------------------------------#
$cmd 02000 deny log all from any to any
#-------------------------# End of IPFW rules file #----------------------------#

--
Lysergius says "Stay light and trust gravity"